[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Thu Feb 12 20:29:19 GMT 2026
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
924cadcd by Salvatore Bonaccorso at 2026-02-12T21:29:07+01:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,33 +1,33 @@
CVE-2026-2276 (Reflected Cross-Site Scripting (XSS) vulnerability in the Wix web appl ...)
TODO: check
CVE-2026-26219 (newbee-mall stores and verifies user passwords using an unsalted MD5 h ...)
- TODO: check
+ NOT-FOR-US: newbee-mall
CVE-2026-26218 (newbee-mall includes pre-seeded administrator accounts in its database ...)
- TODO: check
+ NOT-FOR-US: newbee-mall
CVE-2026-26217 (Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulner ...)
- TODO: check
+ NOT-FOR-US: Crawl4AI
CVE-2026-26216 (Crawl4AI versions prior to 0.8.0 contain a remote code execution vulne ...)
- TODO: check
+ NOT-FOR-US: Crawl4AI
CVE-2026-26214 (Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 a ...)
- TODO: check
+ NOT-FOR-US: Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android)
CVE-2026-25949 (Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.8, th ...)
TODO: check
CVE-2026-25933 (Arduino App Lab is a cross-platform IDE for developing Arduino Apps. P ...)
- TODO: check
+ NOT-FOR-US: Arduino App Lab
CVE-2026-25922 (authentik is an open-source identity provider. Prior to 2025.8.6, 2025 ...)
- TODO: check
+ NOT-FOR-US: authentik
CVE-2026-25768 (LavinMQ is a high-performance message queue & streaming server. Before ...)
- TODO: check
+ NOT-FOR-US: LavinMQ
CVE-2026-25767 (LavinMQ is a high-performance message queue & streaming server. Before ...)
- TODO: check
+ NOT-FOR-US: LavinMQ
CVE-2026-25748 (authentik is an open-source identity provider. Prior to 2025.10.4 and ...)
- TODO: check
+ NOT-FOR-US: authentik
CVE-2026-25227 (authentik is an open-source identity provider. From 2021.3.1 to before ...)
- TODO: check
+ NOT-FOR-US: authentik
CVE-2026-24895 (FrankenPHP is a modern application server for PHP. Prior to 1.11.2, Fr ...)
- TODO: check
+ NOT-FOR-US: FrankenPHP
CVE-2026-24894 (FrankenPHP is a modern application server for PHP. Prior to 1.11.2, wh ...)
- TODO: check
+ NOT-FOR-US: FrankenPHP
CVE-2026-24044 (Element Server Suite Community Edition (ESS Community) deploys a Matri ...)
TODO: check
CVE-2026-22821 (mreporting is the more reporting GLPI plugin. Prior to 1.9.4, there is ...)
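Review bot: For the server software marked NOT-FOR-US in this hunk (authentik at CVE-2026-25922, CVE-2026-25748 and CVE-2026-25227, FrankenPHP at CVE-2026-24895 and CVE-2026-24894, LavinMQ at CVE-2026-25768 and CVE-2026-25767), it is worth confirming that no ITP or RFP bug is open, since a product with a pending package is normally tracked as an ITP entry with its bug number rather than as NOT-FOR-US. A smaller style point at CVE-2026-26214: the entry repeats the parenthetical repository name from the description, while every other entry added here uses the bare product name, so "NOT-FOR-US: Galaxy FDS Android SDK" would be consistent with the rest.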
@@ -216,7 +216,7 @@ CVE-2026-26029 (sf-mcp-server is an implementation of Salesforce MCP server for
CVE-2026-26023 (Dify is an open-source LLM app development platform. Prior to 1.13.0, ...)
NOT-FOR-US: Dify
CVE-2026-26021 (set-in provides the set value of nested associative structure given ar ...)
- TODO: check
+ NOT-FOR-US: set-in Node.js module
CVE-2026-26019 (LangChain is a framework for building LLM-powered applications. Prior ...)
NOT-FOR-US: LangChain
CVE-2026-26014 (Pion DTLS is a Go implementation of Datagram Transport Layer Security. ...)
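Review bot: At CVE-2026-26021, the "set-in Node.js module" entry should be backed by a check that the module is not shipped in the archive, either as its own node- prefixed source package or bundled inside another package, because Node.js modules are often packaged or embedded that way. If it is present, the entry needs a package line instead of NOT-FOR-US. The "Node.js module" qualifier is worth keeping given how generic the name is.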
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/924cadcdd4b3b6e5e8883e2831bc9323c168766c